security: Cookie-controlled PHP webshells: A stealthy tradecraft in Linux hosting environments
Microsoft Security Blog
2026-04-02
Microsoft describes a Linux-hosting intrusion technique where PHP webshells are triggered by specially crafted HTTP cookies. The post covers obfuscation, php-fpm execution, and cron-based persistence used to hide activity and maintain access.